Microsoft has opened the lid on a large-scale phishing-as-a-service (PhaaS) operation that is involved in selling phishing kits and email templates as well as providing hosting and automated services at a low cost, thus enabling cyber actors to purchase phishing campaigns and deploy them with minimal effort.
“With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for most of the phishing campaigns that affect enterprises today,” Microsoft 365 Defender Threat Intelligence Team said in a Tuesday report.
“BulletProofLink (also referred to as BulletProftLink or Anthrax by its operators in various websites, ads, and other promotional materials) is used by multiple attacker groups in either one-off or monthly subscription-based business models, creating a steady revenue stream for its operators.”
The tech giant said it uncovered the operation during its investigation of a credential phishing campaign that used the BulletProofLink phishing kit on either attacker-controlled sites or sites provided by BulletProofLink as part of their service. The existence of the operation was first made public by OSINT Fans in October 2020.
Phishing-as-a-service differs from traditional phishing kits in that, unlike the latter, which are sold as one-time payments to gain access to packaged files containing ready-to-use email phishing templates, PhaaS offerings are subscription-based and follow a software-as-a-service model, while also expanding on the capabilities to include built-in site hosting, email delivery, and credential theft.
Believed to have been active since at least 2018, BulletProofLink is known to operate an online portal to advertise their toolset for as much as $800 a month and allow cybercrime gangs to register and pay for the service. Customers can also avail of a 10% discount should they opt to subscribe to their newsletter, not to mention pay anywhere between $80 and $100 for credential phishing templates that allow them to steal credentials entered by unsuspecting victims upon clicking a malicious URL in the email message.
Troublingly, the stolen credentials are not only sent to the attackers but also to the BulletProofLink operators using a technique called “double theft” in a modus operandi that mirrors the double extortion attacks employed by ransomware gangs.
“With phishing kits, it’s trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit doesn’t alter the code to remove it,” the researchers said. “This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.”